Hostnames in pg_hba.conf
| From | Bart Samwel |
|---|---|
| Subject | Hostnames in pg_hba.conf |
| Date | |
| Msg-id | ded01eb21002110513n296d60b7me5255820a69a4bff@mail.gmail.com |
| Replies | Re: Hostnames in pg_hba.conf ("Kevin Grittner" <Kevin.Grittner@wicourts.gov>); Re: Hostnames in pg_hba.conf (Mark Mielke <mark@mark.mielke.cc>); Re: Hostnames in pg_hba.conf (Tom Lane <tgl@sss.pgh.pa.us>); Re: Hostnames in pg_hba.conf (Peter Eisentraut <peter_e@gmx.net>); Re: Hostnames in pg_hba.conf (Peter Eisentraut <peter_e@gmx.net>) |
| List | pgsql-hackers |
Hi there,

I've been working on a patch to add hostname support to pg_hba.conf. It's not ready for public display yet, but I would just like to run a couple of issues / discussion points past everybody.

ISSUE #1: Performance / caching

At present, I've simply not added caching. The reasoning for this is as follows:

(a) getaddrinfo doesn't tell us about expiry, so when do you refresh?

(b) If you put the cache in the postmaster, it will not work for exec-based backends as opposed to fork-based backends, since those read pg_hba.conf every time they are exec'ed.

(c) If you put this in the postmaster, the postmaster will have to update the cache every once in a while, which may be slow and which may prevent new connections while the cache update takes place.

(d) Outdated cache entries may inexplicably and without any logging choose the wrong rule for some clients. Big aargh: people will start using this to specify 'deny' rules based on host names.

If you COULD get expiry info out of getaddrinfo you could potentially store this info in a table or something like that, and have it updated by the backends? But that's way over my head for now. ISTM that this stuff may better be handled by a locally-running caching DNS server, if people have performance issues with the lack of caching. These local caching DNS servers can also handle expiry correctly, et cetera.

We should of course still take care to look up a given hostname only once for each connection request.

ISSUE #2: Reverse lookup?

There was a suggestion on the TODO list on the wiki, which basically said that maybe we could use reverse lookup to find "the" hostname and then check for that hostname in the list. I think that won't work, since IPs can go by many names and may not support reverse lookup for some hostnames (/etc/hosts anybody?). Furthermore, due to the top-to-bottom processing of pg_hba.conf, you CANNOT SKIP entries that might possibly match. For instance, if the third line is for host "foo.example.com" and the fifth line is for "bar.example.com", both lines may apply to the same IP, and you still HAVE to check the first one, even if reverse lookup turns up the second host name. So it doesn't save you any lookups, it just costs an extra one.

ISSUE #3: Multiple hostnames?

Currently, a pg_hba entry lists an IP / netmask combination. I would suggest allowing lists of hostnames in the entries, so that you can at least mimic the "match multiple hosts by a single rule". Any reason not to do this?

Comments / bright ideas are welcome, especially regarding issue #1.

Cheers,
Bart
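The three issues above (one forward lookup per hostname per connection, why a reverse-lookup shortcut picks the wrong rule under first-match semantics, and comma-separated hostname lists) can be made concrete with a small matcher. The following is an added illustration written for this page, not Bart's patch and not PostgreSQL code. It parses a subset of pg_hba.conf (`host DB USER ADDRESS METHOD`, with `all` as the only wildcard) and replaces getaddrinfo/getnameinfo with the constructed tables FAKE_DNS and FAKE_PTR so that it runs offline; the hostname-list syntax is the proposal from issue #3, not a real pg_hba.conf feature of that time. Note that the hostname support PostgreSQL later shipped (9.1 and up) takes the other route: it reverse-resolves the client address and then forward-resolves the resulting name to confirm it, rather than forward-resolving every hostname rule.

```python
import ipaddress

# Constructed stand-in for getaddrinfo(): hostname -> addresses. A real
# implementation would call socket.getaddrinfo(); this table is hypothetical.
FAKE_DNS = {
    "foo.example.com": ["192.0.2.10", "192.0.2.11"],
    "bar.example.com": ["192.0.2.11"],      # same address as foo: "IPs can go by many names"
    "baz.example.com": ["2001:db8::5"],
}

# Constructed stand-in for a PTR lookup; note 192.0.2.11 only answers "bar".
FAKE_PTR = {"192.0.2.10": "foo.example.com", "192.0.2.11": "bar.example.com"}

# Constructed pg_hba.conf mirroring Bart's example: a hostname rule for foo
# sits above a (list) rule for bar, and both can apply to 192.0.2.11.
SAMPLE_HBA = """
host all all 192.0.2.1/32                    reject
host all all foo.example.com                 reject   # must be checked first
host all all 10.0.0.0/8                      md5
host all all bar.example.com,baz.example.com md5      # issue #3: hostname list
"""


def resolve(hostname, cache):
    """Forward-resolve a hostname, at most once per connection (cache is per request)."""
    if hostname not in cache:
        cache[hostname] = [ipaddress.ip_address(a) for a in FAKE_DNS.get(hostname, [])]
    return cache[hostname]


def parse_hba(text):
    """Parse the 'host DB USER ADDRESS METHOD' subset; '#' starts a comment."""
    rules = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if not fields:
            continue
        typ, db, user, addr, method = fields[:5]
        rules.append({"type": typ, "db": db, "user": user, "addr": addr, "method": method})
    return rules


def as_network(addr_field):
    """CIDR address fields parse as networks; anything else is a hostname list."""
    try:
        return ipaddress.ip_network(addr_field, strict=False)
    except ValueError:
        return None


def address_matches(addr_field, client_ip, cache):
    net = as_network(addr_field)
    if net is not None:
        return client_ip.version == net.version and client_ip in net
    # Hostname list: resolve each name on demand; names after a hit are never looked up.
    return any(client_ip in resolve(h, cache) for h in addr_field.split(","))


def match_rule(rules, client_ip, db, user):
    """Top-to-bottom, first match wins. Returns (rule index, method, names looked up)."""
    ip = ipaddress.ip_address(client_ip)
    cache = {}
    for i, r in enumerate(rules):
        if r["db"] not in ("all", db) or r["user"] not in ("all", user):
            continue
        if address_matches(r["addr"], ip, cache):
            return i, r["method"], sorted(cache)
    return None, "reject", sorted(cache)


def match_by_reverse_lookup(rules, client_ip, db, user):
    """The shortcut from issue #2: reverse-resolve the client and only consider
    hostname rules naming that one host. Returns (rule index, method)."""
    ip = ipaddress.ip_address(client_ip)
    name = FAKE_PTR.get(str(ip))
    for i, r in enumerate(rules):
        if r["db"] not in ("all", db) or r["user"] not in ("all", user):
            continue
        net = as_network(r["addr"])
        if net is None:
            if name is not None and name in r["addr"].split(","):
                return i, r["method"]
        elif ip.version == net.version and ip in net:
            return i, r["method"]
    return None, "reject"


if __name__ == "__main__":
    rules = parse_hba(SAMPLE_HBA)
    for client in ("192.0.2.11", "2001:db8::5", "10.1.2.3", "198.51.100.7"):
        print(client, "forward:", match_rule(rules, client, "app", "alice"),
              "reverse shortcut:", match_by_reverse_lookup(rules, client, "app", "alice"))
```

For 192.0.2.11 the top-to-bottom matcher stops at the foo rule and rejects after a single lookup, while the reverse-lookup shortcut sees only "bar.example.com" from the PTR record, skips the foo rule, and grants md5 access from the later line: exactly the silent wrong-rule outcome Bart warns about for deny rules. The per-request cache also shows the "look up a given hostname only once per connection" rule: for the IPv6 client, foo, bar and baz are each resolved once even though the list rule is reached after the earlier hostname rule failed.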